You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

215 lines
7.0 KiB

<?xml version="1.0" encoding="utf-8"?>
<html xmlns="">
<title> CAcert -- TTP-Assisted Assurance Policy </title>
<style type="text/css">
.comment {
color : steelblue;
<div class="comment">
<table width="100%">
Name: TTP-Assist <a style="color: steelblue" href="">COD13.2</a><br />
Status: DRAFT <a style="color: steelblue" href="">p20100913</a><br />
Editor: <a style="color: steelblue" href="//">Ulrich Schroeter</a><br />
Licence: <a style="color: steelblue" href="//" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at" > CC-by-sa+DRP </a><br />
<td valign="top" align="right">
<a href="//"><img src="images/cacert-draft.png" alt="TTP-Assist Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
<h1> TTP-Assisted Assurance Policy </h1>
<h2 id="s0"> 0. Preliminaries </h2>
This sub-policy extends the
<a href="//">
Assurance Policy</a> ("AP" => COD13)
by specifying how Assurers can be assisted by
outsourcing the identity documents verification
component of assurance to trusted third parties (TTPs).
Other definitions and terms can be found in AP or in
<a href="//">Assurance Handbook</a>
<h2 id="s1"> 1. Scope </h2>
This sub-policy is restricted to members located
in areas not well-served with Assurers.
It serves a goal of promoting both Assurers and Members in those areas.
<h2 id="s2"> 2. Roles </h2>
<h3 id="s2.1"> 2.1 Trusted Third Party </h3>
A Trusted Third Party ("TTP") is a person who is traditionally respected
for making reliable statements to others, especially over identification
documents. Typically, notaries public (anglo),
Notaries (European), bank managers, accountants
and lawyers.
<h3 id="s2.2"> 2.2 The Assurer (aka TTP-admin) </h3>
To employ a TTP in an assurance,
the Assurer must be a <a href="//">Senior Assurer</a>.
The Assurer must be familiar with the local
language and customs.
<h3 id="s2.3"> 2.3 Member </h3>
A Member ("assuree") who is located in a place not well-served
by Assurers may use the TTP-assisted assurance.
<h2 id="s3"> 3. The Assurance </h2>
Assurance assisted by TTP must meet these requirements:
<ol style="list-style-type: lower-alpha;"><li id="s3.a">
The Assurer must positively confirm the identity and
suitability of the TTP.
</li><li id="s3.b">
The TTP and the Member must meet face-to-face.
</li><li id="s3.c">
The TTP confirms the details supporting the Assurance Statement.
</li><li id="s3.d">
The Assurer makes a reliable statement to confirm the
Assurance Statement.
</li><li id="s3.e">
Assurance must be marked as TTP-Assisted
(e.g., by use of TTPAdmin flag).
<h2 id="s4"> 4. Assurance Officer ("AO") </h2>
The Board routinely delegates its responsibilities to the
Assurance Officer (and this section assumes that, but does
not require it).
A report is requested annually from the Assurance Officer
on performance of this policy for the association's
annual report.
<h3 id="s4.1"> 4.1 Practice </h3>
Assurance Officer should prepare a
<a href="//">detailed documentation</a>
<a href="//">AH</a>
that meets the needs of this policy, including:
Form for TTPs
Guide for TTPs.
Form for TTP-assisted assurance (used by Assurer)
Guide and protocol for Assurers.
Mechanisms for contacting Assurers available for
TTP-assisted assurances.
Definition of
<a href="//">
Senior Assurer</a>.
<h3 id="s4.2"> 4.2 Deserts </h3>
The Assurance Officer maintains a
<a href="//">list of regions</a>
that are designated as '<i>deserts,</i>' being areas that are so short
of Assurers as to render face-to-face Assurance impractical.
In each region, approved types of TTP are listed (e.g., Notary).
The list is expected to vary according to the
different juridical traditions of different regions.
Changes to the regional lists are prepared by
either an Organisation Assurer for that region
(as described by OAP)
or by two Assurers familiar with the traditions
in that region.
Changes are then submitted to the Board for approval.
Use of a type of TTP not on the list must be approved by
AO and notified to Board.
It is an explicit goal to reduce the usage of
TTP-assisted assurances in favour of face-to-face Assurance.
In coordination with internal and external auditors,
the Assurance Officer shall design and implement a
suitable programme to meet the needs of audit.
Where approved by auditors or Board, the Assurance
Officer may document and implement minor variations to this policy.
<h2 id="s5"> 5. Topup Assurance </h2>
AO is to operate a <cite>Topup Assurance Programme</cite>
to help seed deserts with Assurers.
A topup assurance will add additional Assurance Points
to those gained from two previously conducted TTP-assisted assurances,
in order for a Member to reach 100 Assurance Points
for the express purpose of becoming an Assurer.
A topup assurance is conducted by a third Senior Assurer
according to the following requirements:
<ol><li id="s5.1">
Assurer Challenge must be completed as passed by Member.
</li><li id="s5.2">
The topup must be requested by Member for
purpose of enabling the Member to reach Assurer level.
</li><li id="s5.3">
Topup Assurer must be a Senior Assurer,
and must be independent of the TTP-assist Assurers.
</li><li id="s5.4">
The Topup Assurer reviews the two TTP-assisted assurances,
and conducts other checks as set by the Assurance Officer.
The normal face-to-face meeting is not conducted.
</li><li id="s5.5">
Topup Assurer may award up to 35 points.
</li><li id="s5.6">
Assurance must be marked as Topup
(e.g., by use of new feature with TTPAdmin flag).
Each topup is to be reported to AO.
Topup is only available in designated deserts.